WEBVTT

00:01.660 --> 00:07.900
Another process identification command that can be used to list processes is pstree.

00:08.990 --> 00:09.710
Here.

00:09.710 --> 00:15.260
So this command shows the same list of processes as pslist.

00:15.290 --> 00:27.590
But indentation is also used to identify child and parent processes, so run the pstree plugin by typing

00:27.590 --> 00:32.150
this pstree command and click Enter.

00:34.500 --> 00:37.590
As you can see, we got an output here.

00:37.770 --> 00:39.510
Now, copy this.

00:40.650 --> 00:44.370
And click on the notepad so we can analyze it further.

00:45.080 --> 00:45.590
Here.

00:46.610 --> 00:47.240
So.

00:48.600 --> 01:00.330
In this here, the last five processes listed are explorer.exe and VMwareUser.exe, cmd.exe, VMware

01:00.330 --> 01:02.890
Tray.exe and reader_sl.exe.

01:03.000 --> 01:11.110
So here explorer.exe by itself is not indented, while all the others are.

01:11.130 --> 01:19.860
So indicating that they are child processes of explorer.exe, which is the parent process.

01:19.860 --> 01:24.090
So now we're going to use another command here.

01:26.060 --> 01:29.490
Named psscan here.

01:29.510 --> 01:38.930
So the psscan command displays inactive and even hidden processes that can be used by malware such as

01:38.930 --> 01:46.610
rootkits, which are very, very well known for doing just that to evade discovery by users and antivirus

01:46.610 --> 01:47.410
programs.

01:47.420 --> 01:53.570
So now we're going to use the profile because this needs a profile here.

01:54.350 --> 02:00.370
Now, as you remember, our profile was the Windows XP Service Pack 2.

02:00.380 --> 02:06.650
But in order to remember that, I'm going to just run imageinfo here and we're going to get the

02:06.650 --> 02:10.640
Windows XP Service Pack 2.

02:12.950 --> 02:13.250
Here.

02:13.250 --> 02:16.990
So as you can see, this is Service Pack 2 and 32-bit x86.

02:17.780 --> 02:18.200
Here.

02:18.230 --> 02:28.070
We can also use the profile of Service Pack 3, but it's always better to use the first profile in

02:28.070 --> 02:28.850
Volatility.

02:28.880 --> 02:29.480
Here.

02:30.660 --> 02:35.790
So now we're going to use psscan.

02:35.790 --> 02:46.460
And after, like before, specifying the file, the memory file, we need to add the profile here.

02:46.470 --> 02:54.460
--profile=WinXPSP2x86.

02:54.460 --> 02:55.630
Here now.

02:57.450 --> 02:58.590
Click Enter.

03:00.470 --> 03:02.600
Here we have this.

03:03.880 --> 03:05.140
Now we're going to.

03:07.250 --> 03:08.200
Copy this.

03:08.240 --> 03:09.590
Two more.

03:10.260 --> 03:13.260
For further investigation on the notepad.

03:14.360 --> 03:15.020
Here.

03:16.920 --> 03:19.110
This is our output result.

03:21.920 --> 03:26.290
So since we don't need the Time exited column here, we can delete it.

03:26.300 --> 03:29.840
So we can zoom in further.

03:34.770 --> 03:35.310
Here.

03:38.730 --> 03:39.210
Yeah.

03:39.480 --> 03:46.080
So the output of the psscan plugin in this memory address is as follows here.

03:46.470 --> 03:53.310
So the output of both the pslist and psscan commands will be compared to observe any anomalies.

03:53.310 --> 03:56.400
So we need to compare this.

03:57.110 --> 04:03.050
With the previous command that we used scan.

04:03.230 --> 04:12.590
So actually, let's compare it and see if we got any different results or if we have any hidden

04:12.710 --> 04:13.880
processes.

04:15.690 --> 04:16.050
Here.

04:16.050 --> 04:17.940
We're gonna add another tab.

04:18.120 --> 04:20.160
And as you can see here.

04:21.410 --> 04:25.670
We will observe it in lectures, but for now.

04:27.290 --> 04:33.020
It's like we don't have any hidden processes because, as you can see here, all of these lines are almost

04:33.020 --> 04:35.750
the same if we just delete this command.

04:37.490 --> 04:41.270
Yeah, they are actually almost the same files.

04:43.600 --> 04:43.990
Let's.

04:43.990 --> 04:44.590
Yeah.

04:45.440 --> 04:49.290
As you can see here, both of them have 25 lines in them.

04:49.310 --> 04:51.500
So next.

04:53.330 --> 04:57.590
The plugin we have is psxview here.

04:57.980 --> 05:03.950
Now we're going to use psxview.

05:04.750 --> 05:11.680
So as with the psscan plugin, psxview is used to find and list hidden processes.

05:11.770 --> 05:18.940
But with psxview, however, a variety of scans are run, including pslist and psscan here.

05:18.940 --> 05:22.930
So in order to run this command you need to specify the profile.

05:22.930 --> 05:24.160
So we already did.

05:24.160 --> 05:26.380
And yeah, click on Enter.

05:31.180 --> 05:36.100
Yeah, actually, as you can see, we got different results from the previous commands.

05:36.130 --> 05:37.240
Copy it.

05:37.240 --> 05:38.980
And here.

05:41.600 --> 05:42.290
Can you see it?

05:42.290 --> 05:43.410
Actually, clearly?

05:43.430 --> 05:44.030
Yeah.

05:44.540 --> 05:54.800
So the psxview plugin lists the processes and compares the outputs, listed as True or False.

05:54.980 --> 05:59.180
So a false output means that the process is hidden.

06:01.730 --> 06:02.300
Here.

06:02.330 --> 06:04.550
It means that process is hidden.

06:06.120 --> 06:14.220
That as in the csrss, session and this chart here.

06:15.340 --> 06:16.900
This means that.

06:18.540 --> 06:28.890
Yeah, with False outputs for System and smss.exe and csrss.exe here, which tells us that

06:28.890 --> 06:35.640
the processes are not found in these areas and should be inspected further.

06:35.640 --> 06:42.480
So now that we have reviewed and documented the services that were running at the time the memory

06:42.480 --> 06:43.620
dump was taken.

06:43.620 --> 06:52.230
So let's try to find network services and connections that may also have been established at the time.
